MoMusings

Friday 30th July, 2004


More Multi-component Malware and PDA Viruses Could Get Nasty

Filed under: All, Malware

PDA Viruses Could Get Nasty - PCWORLD

LAS VEGAS–Black Hat Briefings conference.

The first virus aimed at Pocket PC handhelds, revealed last week, could be far worse if it were modified slightly to carry a harmful payload, said Seth Fogie, a vice president of Airscanner, which develops security software for the Windows Mobile platform.

Fogie demonstrated several malicious tools he has created. The programs work properly only on Pocket PCs that use ARM processors–the same kind of devices that are vulnerable to the Dust virus. Such devices make up the majority of Pocket PC handhelds sold today.

Among Fogie’s tools are a keystroke-logging program, a virtual remote control application that runs undetected, and an FTP server applet that could be modified to run invisibly in the background. Rogue applications of these sorts typically spread as Trojan horse programs when PCs are infected with a virus. They allow virus writers to steal or manipulate data, or to make mischief.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.

Thursday 29th July, 2004


More New Worms Trapped and Other News Items

Filed under: All, Malware

This blog will not always carry articles or comments about specific malware-related topics that grab my attention, or that I want to air [or get asked to comment on]. Today is a perfect example of what else I might blog about: a mixture of snippets from malware-related news stories and some technical ‘stuff’ for those that ‘need’ their daily ‘fix’ of new or breaking ‘threats’.

Bulk of year’s PC infections pinned to one man (CNet)

“Sven Jaschan, self-confessed author of the Netsky and Sasser viruses, is responsible for 70 percent of virus infections in 2004, according to a six-month virus roundup published Wednesday by antivirus company Sophos.” - Link to Full Article

Related to this …

Sophos, a world leader in protecting businesses against viruses and spam, has released a report which reveals that the number of new viruses being written is increasing. In total, Sophos has detected and protected against 4 677 new viruses in the first six months of 2004, up 21% on the same period last year. - Link to Full Article

A single ‘superworm’ attack could cost business as much as $50bn

Pete Simpson, ThreatLab manager at Clearswift, examines research that estimates the possible economic impact of a ‘worst-case worm’ attack.

Estimating the damage that serious worm infections cost businesses is a tough job, and in the past some puzzling figures have emerged.

That’s why a recent analysis by academics Nicholas Weaver and Vern Paxson, members of the International Computer Science Institute (ICSI), is worth attention. - Link to Full Article

The full Weaver and Paxson report is available here.

Details of Microsoft antivirus software leak out

An executive of Microsoft in France divulged on Wednesday some of the software maker’s plans for its highly anticipated entry into the antivirus software market.
A standalone antivirus product will be built from tools the company inherited through its 2003 acquisitions of GeCad and Pelican Software. - Link to Full Article

More multi-component malware found.

I trapped yet another Ranky and SdBot RAR SFX dropper package yesterday. The file CAJUN.EXE gets dropped to the root of a Windows share and when launched it unpacks the two components [BNNBNBF.EXE and NNBBF.EXE] and installs them. The samples were duly sent to the AV vendors and researchers that I send samples of new malware to.

Details of the dropper and the extracted files appear below:

File name: cajun.exe
File Date/Time: 23/07/2004 13:54:42
File Size: 115767
MD5 Hash: 8322e9c935fbe4592e3b1e62ce0d03ee
CRC32: E67127AA
File Type: PE Executable, RAR SFX
Packer: UPX
Sample trapped by WormCharmer*.

Details of the two files in the RAR SFX detailed above:

File Name: bnnbnbf.exe
File Date/Time: 18/07/2004 23:35:26
File Size: 46592
MD5 Hash: 73bcf810ebebb140a814dfb55998a739
CRC32: 2154466B
File Type: PE Executable
Packer: UPX

File Name: nnbbf.exe
File Date/Time: 18/07/2004 23:35:26
File Size: 19968
MD5 Hash: 531f05c2e2a97ffdc3a687dd721ae161
CRC32: 293411BA
File Type: PE Executable
Packer: UPX
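The records above are the kind of triage data worth producing for every trapped sample before it goes off to the AV vendors. As an added example (not the author's WormCharmer tooling, and not code from this blog), here is a small Python script that derives the same fields from a file's bytes: MD5 and CRC32 in the same notation, a PE check, the UPX section names that give the packer away, and the RAR marker that an SFX carries after its extractor stub. The `build_fake_sfx()` helper constructs a minimal PE-shaped buffer so the script runs offline; it is not a real executable and the hashes it yields are meaningless.

```python
import hashlib
import struct
import zlib

RAR_SIGNATURE = b"Rar!\x1a\x07\x00"          # RAR archive marker; an SFX carries it after the PE stub
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}    # section names the UPX packer leaves behind


def file_hashes(data: bytes):
    """MD5 and CRC32 in the notation used in the sample records above."""
    md5 = hashlib.md5(data).hexdigest()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return md5, crc


def pe_section_names(data: bytes):
    """Return the section names of a PE file, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        entry = data[table + 40 * i: table + 40 * i + 8]   # first 8 bytes of each 40-byte section entry
        if len(entry) < 8:
            break
        names.append(entry.rstrip(b"\0"))
    return names


def describe_sample(filename: str, data: bytes):
    """Build a record like the ones in the post from the raw bytes of a file."""
    md5, crc = file_hashes(data)
    sections = pe_section_names(data)
    file_type = "Unknown"
    packer = "None"
    if sections is not None:
        file_type = "PE Executable"
        if RAR_SIGNATURE in data[0x40:]:      # archive body appended after the extractor stub
            file_type += ", RAR SFX"
        if UPX_SECTIONS & set(sections):
            packer = "UPX"
    return {"file_name": filename, "file_size": len(data), "md5": md5,
            "crc32": crc, "file_type": file_type, "packer": packer}


def build_fake_sfx():
    """Constructed stand-in for a UPX-packed RAR SFX dropper: a minimal PE skeleton with
    UPX section names and a RAR marker appended. Not a real or runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)   # i386, 3 sections, PE32 optional header
    optional = bytes(0xE0)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in (b"UPX0", b"UPX1", b".rsrc"))
    archive = RAR_SIGNATURE + b"constructed archive payload"
    return bytes(dos) + b"PE\0\0" + coff + optional + sections + archive


if __name__ == "__main__":
    for key, value in describe_sample("cajun.exe", build_fake_sfx()).items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing `build_fake_sfx()` with `open(path, "rb").read()`. Section names are a hint, not proof: a packer can rename them, so the packer field is best treated as "looks like UPX" until the sample is actually unpacked.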

These have now been identified and most AV products should now detect them:

bnnbnbf.exe infected: Backdoor.SdBot.np [Kaspersky]
nnbbf.exe infected: TrojanProxy.Win32.Ranky.an [Kaspersky]

Good news for those that use my SNORT signatures, the existing Ranky and SdBot Dropper signature identifies all variants of the droppers that I’ve so far trapped.

This brings my total up to 65 new ones so far this year.

Please drop me a line if you would like me to post future trapped sample data to this blog.

*If you want to find out more about WormCharmer, then see here.


Wednesday 28th July, 2004


Microsoft is Going to Throttle Windows!

Filed under: All, Malware

Huzzah!…oh, hang on a minute - not that sort of throttling, *****!

The upcoming Windows XP Service Pack 2 (SP2) includes a feature designed to throttle the number of connections that can be attempted per second by the TCP/IP stack. The thinking behind this is to stop (or slow down) the next Blaster or other similar worms.
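To see why a cap on outstanding outbound connection attempts hurts a blindly scanning worm far more than ordinary traffic, here is a small discrete-time simulation. It is an added example, not code from Microsoft or from the SP2 documentation, and its numbers are assumptions: a SYN to a silent address is taken to hold a slot for 21 seconds (roughly three SYN retransmits) and the cap of 10 in-flight attempts is a parameter, not a value read from SP2.

```python
SYN_TIMEOUT_S = 21   # assumption: seconds a connect() to a silent address stays half-open before the stack gives up


def simulate_scan(n_targets, scan_rate, limit=None, responsive_every=None):
    """Return the simulated second at which the last of n_targets outbound connection
    attempts is allowed to start.

    scan_rate         attempts per second the scanning code would like to make
    limit             cap on concurrent incomplete outbound attempts (None = no throttle)
    responsive_every  every k-th address answers the SYN; None means every address is
                      silent, which is what blind scanning of random addresses mostly hits
    """
    cap = float("inf") if limit is None else limit
    in_flight = []           # release times of attempts currently holding a throttle slot
    started = 0
    t = 0
    last_start = 0
    while started < n_targets:
        in_flight = [r for r in in_flight if r > t]   # attempts that completed or timed out free their slot
        budget = scan_rate
        while budget > 0 and started < n_targets and len(in_flight) < cap:
            answers = responsive_every is not None and started % responsive_every == 0
            # an answered SYN completes within the second; a silent one holds its slot until timeout
            in_flight.append(t + 1 if answers else t + SYN_TIMEOUT_S)
            started += 1
            budget -= 1
            last_start = t
        t += 1
    return last_start


def slowdown(n_targets, scan_rate, limit):
    """How many times longer a blind scan of silent addresses takes under the cap than without it."""
    free = simulate_scan(n_targets, scan_rate) + 1
    capped = simulate_scan(n_targets, scan_rate, limit=limit) + 1
    return capped / free


if __name__ == "__main__":
    print("unthrottled, 1000 silent targets at 100/s:", simulate_scan(1000, 100))
    print("capped at 10 in flight, silent targets   :", simulate_scan(1000, 100, limit=10))
    print("capped at 10, every target answers       :", simulate_scan(1000, 100, limit=10, responsive_every=1))
    print("slowdown factor for the blind scan       :", slowdown(1000, 100, 10))
```

The interesting result is the contrast between the last two runs: a burst of connections to hosts that actually answer is barely delayed, because each completed handshake frees its slot at once, while a scan of mostly silent addresses gets only `limit` attempts per timeout window. That is exactly the Blaster/Sasser pattern the feature targets, and on a real SP2 host hitting the cap is logged by the TCP/IP driver (Event ID 4226), which makes it a cheap detection signal for an infected machine as well as a brake.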

Here is what a spokesperson from Microsoft had to say:

“Thanks very much for responding. This new feature is one of the stack’s “springboards”, security features designed to proactively reduce the future threat from attacks like blaster and Sasser that typically spread by opening connections to random addresses. In fact, if this feature had already been deployed, Sasser would have taken much longer to spread.”

I wonder if they are paying HP for the use of this technique, as it was first postulated as a way to ‘throttle’ worms by HP researchers based in the UK?

For those that like to take things apart to see how they work [and don’t end up with bits left over after reassembly], you can find more data here; this is an Adobe Acrobat PDF.

There is an interesting discussion about this feature here; please ensure that you are a fully qualified propeller head and have paid any outstanding ‘geek’ membership subs before entering ;-)

So what does this really mean when we look at how it might help in the fight against malware?

My own feeling is that in the short term this technique will, for a while, help slow or otherwise hobble flash-worms and other network worms that fire off lots of packets very quickly. However, I believe that one or more of the following may happen:

  • Malware writers will adjust and use slow-infection methods to bypass the technique.
  • Flaws will be found in the Microsoft implementation, and these will be used to devastating effect [again].
  • Malware authors will find a way to disable or completely bypass the technique.
  • They will move onto other techniques or platforms that are easier to attack as they don’t offer this feature.

Well, enough thoughts on this subject for now; after all, only time will tell whether Microsoft really does want to take security seriously. They are certainly talking the talk, let’s see if they can walk the walk…

Anyone else have any suggestions or thoughts on this?

UPDATE: Well, it took even less time than I expected for someone to find out how this works and to reverse the change… Nice try Microsoft, back to the drawing board for you!


Tuesday 27th July, 2004


Knock, Knock! Who’s Knocking at My[Doom] Backdoor?

Filed under: All, Malware

Well, yesterday’s MyDoom event has come and almost gone - something of a flash-in-the-pan for most of us, but something nasty is knocking on systems that were infected looking for the open backdoor…

Yes, MyDoom.O (or M or a pile of other letters, depending on your preferred AV vendor*) opens a backdoor, and listens…

And who should come calling? Another piece of malware written by the same author, now isn’t that a surprise?

This new nasty is known as Zindos, and it uses the lists and the backdoors, prepared by Mydoom.M (or O, or …), to quickly spread and hit its target, which is [drum roll please!!!] www.microsoft.com.

For those of a curious nature, you can find more data here

* Yes, one day the AV vendors will actually come up with a system that means ALL vendors will call [insert malware and/or variant here] by the same name… It is difficult enough for us who ‘Do Security’ for a living to understand the mess and confusion this causes; [insert deity of choice here] help the poor old average Jo Schmos, they don’t stand a chance!

UPDATE: Lurhq has published an excellent writeup with many details about Zindos, the worm taking advantage of MyDoom-infected systems.


Monday 26th July, 2004


We’re all MyDoomed [again]!

Filed under: All, Malware

Well, it’s Monday and, like last Monday, we’ve started off with a bang. This afternoon what do I find in my e-mail inbox but an e-mail that has all the hallmarks of a new mass-mailing malware being seeded.

So, is it me or have the malware authors suddenly changed their preferred seeding day from Friday (PM) to Monday (AM)?

It wasn’t classified as malware by my spam filtering and it got past my e-mail scanner, so it is either a new variant or a new mass-mailing worm altogether.
Some testing and scanning later, it seems to be a new variant of the MyDoom family!

Some basic data on it below:

This MYDOOM worm, like earlier variants, spreads via email through SMTP (Simple Mail Transfer Protocol). It gets its target recipients from the Windows Address Book.

Using social engineering techniques, this worm sends out an email with a spoofed sender’s name and an email message that generally poses as a failure delivery notification. The email it sends has varying subjects, message bodies, and attachment files.

On execution, this worm drops a copy of itself as JAVA.EXE in the Windows folder.

This worm runs on Windows 95, 98, ME, NT, 2000, XP.

Here is an example of what the e-mail message may look like:

Dear user winnt@mydomain.com,

Your e-mail account was used to send a huge amount of unsolicited e-mail messages during the recent week.

Most likely your computer had been infected by a recent virus and now runs a hidden proxy server.

Please follow our instruction in the attached file in order to keep your computer safe.

Virtually yours,

The mydomain.com support team.

Most vendors are calling it MyDoom.M or MyDoom.O
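The lure above is a fake bounce: wording that mimics an abuse notification plus an attachment the reader is asked to open. Since it sailed past the spam filter and the mail scanner, a content rule that keys on that combination is worth having in front of the signature scanner. The following Python script is an added example (not the blog's own filter and not any vendor's rule set) that parses a raw message with the standard library, looks for the lure wording, checks for program or archive attachments, and notes that a real bounce is a `multipart/report` DSN rather than a text message with a file stapled on. The two sample messages and the phrase list are constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed list: phrases from the lure quoted above plus the usual fake-bounce vocabulary
LURE_PHRASES = (
    "unsolicited e-mail", "hidden proxy server", "instruction in the attached",
    "account was used to send", "delivery failed", "undeliverable", "returned mail",
)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
ARCHIVE_EXTS = (".zip", ".rar")


def classify(raw: bytes):
    """Score a raw RFC 822 message for the fake-bounce-with-attachment pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [p for p in LURE_PHRASES if p in body]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment: " + name)
        elif name.endswith(ARCHIVE_EXTS):
            reasons.append("archive attachment that may wrap an executable: " + name)

    # A genuine bounce is a multipart/report carrying a delivery-status part, never a program
    has_attachment = any("attachment" in r for r in reasons)
    if hits and has_attachment and msg.get_content_type() != "multipart/report":
        reasons.append("poses as a notification but is not a multipart/report DSN")

    verdict = "quarantine" if len(reasons) >= 2 else "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_message(sender, subject, body, attachment=None):
    """Constructed sample messages, offline stand-ins for what lands in the inbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@mydomain.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, payload = attachment
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_LURE = build_message(
    "support@mydomain.com", "Your account is being used to send spam",
    "Your e-mail account was used to send a huge amount of unsolicited e-mail messages.\n"
    "Most likely your computer runs a hidden proxy server.\n"
    "Please follow our instruction in the attached file.\n",
    attachment=("instruction.zip", b"PK\x03\x04constructed-not-a-real-archive"),
)
SAMPLE_BENIGN = build_message(
    "colleague@mydomain.com", "Lunch", "Meeting room changed to the one by the lift.\n")

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

Two reasons are needed for a quarantine verdict so that a legitimate helpdesk mail that merely mentions a proxy server is not held; the attachment check is what turns wording into a real risk. Phrase lists age quickly, which is why the structural check (text message versus real DSN) is the part worth keeping as the wording changes from variant to variant.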

More details can be found here

UPDATE: MyDoom was also responsible for the failures with a number of search engines as it used these to find new victims to mail itself to. The most affected search engine was Google, which was reported to be down for a while.


Friday 23rd July, 2004


Bagles, More Bagles and Osama?

Filed under: All, Malware

Well what a week it has been, busy and interesting to boot!

I hear you ask “what’s the fuss with the new Bagles, what is so special about them?”, and a good question it is too. Well, you asked, so here’s the answer…

It is believed that, unlike most other malware, the Bagles are written by professional programmers, probably in the pay of spammers. All of the ones listed below got to a Medium alert stage this week.

More details on Bagle.ai can be found here
More details on Bagle.ag can be found here
More details on Bagle.af can be found here

As I write this we have now got up to Bagle.ak… it does seem that the Bagle Boys have nothing better to do!

Osama Hanged - NOT!

Just another case of ‘social engineering’ to try and get YOU to download and install a backdoor program.

The messages, which are being posted to Usenet (NNTP), try to get potential victims to visit a website where a file can be downloaded, claiming it contains photographs of Osama hanged, when it really contains a Trojan known as ‘Hackarmy’. Hackarmy gives malware writers control over an infected system.

Well, I suppose it makes a change from using porn to spread their malware….

More details can be found here

UPDATE: Well, it looks like Arnie (I’ll Be Back) Schwarzenegger has also been used to try and tempt users to download and run this backdoor/trojan. The NNTP postings claimed that Arnie had committed suicide…

Here’s the posting, without the link to the infected file on the website:

Early this morning Arnold Schwarzenegger was found hanging by his neck from the large oak tree in his Californian garden. In a suicide note found at the scene he tells of his sordid sex life and lack of will to live. A copy of the suicide note which was found by journalists has been included here

Link to The Register Article

Virus Humour: Arnold Schwarzenegger virus : Terminates and stays resident. It’ll be back.


Saturday 17th July, 2004


More Mobile Malware Released…

Filed under: All, Malware

Well, we’ve been saying for some time that PDA and mobile phone malware was possible, and likely to appear soon.

Back in September 2000 we had the first Palm OS malware (Phage), since then it has been kind of quiet on this front, well until this year anyway…

So far this year we’ve had the first mobile phone malware, ‘Cabir’ aka ‘Carib’, which uses Bluetooth to spread from phone to phone. Now the first Windows CE/Pocket PC malware has been found. This is currently known as ‘Duts’. Like ‘Cabir’, this new CE/Pocket PC malware is a POC (Proof-Of-Concept) written just to show it can be done. Both were written by the 29A virus-writing group.

More data on ‘Cabir’ can be found here: Cabir
More data on ‘Duts’ can be found here: Duts
More data on ‘Phage’ can be found here: Phage


Tuesday 6th July, 2004


Another busy weekend!

Filed under: All, Malware

The malware authors are yet again releasing new strains on a Friday afternoon. This is so that their creations have the whole weekend to establish a ‘beach-head’ on as many vulnerable systems as possible, so that it can spread further and faster by start-of-business on the following Monday.

The shame (for them) is that I (and others) catch many of these new (unknown) samples within hours of them being released onto the internet.

I caught three new malware samples this weekend: two were Ranky/SDbot droppers, and the other was a new Dedler variant. This brings my total for this year (so far) to 61 new (unknown to the AV companies) malware samples.


Friday 2nd July, 2004


Win32 Malware Growing Faster Than Ever!

Filed under: All, Malware

According to Peter Szor (of Symantec), the amount of Win32 malware grew by 300% when compared to the same period last year.

From my own experience, I can confirm that there has been a major ramp-up in production of Win32 bots, such as Randex, Gaobot and Spybot (and a number of other bot families too).

The other trend seems to be toward multi-component malware, which when executed drops and installs a bot (Remote Access Trojan) and some other component such as a proxy.

Looks like it is going to be another busy year for us.
